Data Protection Impact Assessment (DPIA) – Screening Questions

 

Overview

A Data Protection Impact Assessment (DPIA) is essential to ensure that new systems and processes are compliant with Data Protection Legislation (GDPR and the Data Protection Act 2018). A DPIA is mandatory when introducing new technology or where the processing operation is “likely to result in a high risk to the rights and freedoms of natural persons”. The risk is considered high when processing personal information about a living person. Failure to carry out a DPIA, or failure to carry one out correctly when the risk is high, may result in a large fine.

 

What is Personal Data?

“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

 

It may be that a single piece of information can identify an individual, or it may be that it requires a combination of information to identify them. The following information would be considered personal data:

· Name
· Address
· Date of birth
· Email address (personal and work)
· NI number
· Bank details

 

Personal data also extends to items such as a photo, posts on social media or an IP address.

 

What is Special Category Data?

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.”

 

The following information would be considered special category data:

 

*Biometric Data: physical or physiological identification techniques – e.g. fingerprint verification, facial/voice recognition, keystroke/handwriting analysis, gait and gaze analysis.

 

In order to determine whether a DPIA is necessary, insert the required information into the table below and complete the checklist.

 

If the answer is YES to any of the screening questions in the checklist then a DPIA must be carried out.

 

 


 

Project/Process Title

Development of Harrogate Care and Support Hub

Directorate / Service Area

Health and Adult Services

Overview of Project/Process

A strategic business case was previously approved in January 2025 to address escalating pressures within the Health and Adult Services budget, driven by increasing demand for high‑cost specialist residential dementia care and intermediate care in the independent sector. The approved proposal set out an invest‑to‑save market management intervention to replace the Council’s in‑house Elderly Person’s Homes with up to five new‑build Care & Support Hubs (CSH) across the county, delivering specialist dementia and rehabilitation‑focused intermediate care. The Executive decision was informed by an options appraisal, market analysis and indicative modelling of capital and revenue impacts, including phased delivery and site feasibility work.

This report sets out a proposal to move forward with the development of a new 60-bed CSH in Harrogate. Site-specific capital costs on the confirmed site on Ainsty Road in Harrogate and associated feasibility studies and surveys are explained. Revenue costs, financial benefits and return on investment calculations are tailored to meet the exact proposals set out within this Hub. Key risks and legal considerations are set out alongside mitigations.

 

 

Screening Questions

Yes

No

Justification for Answer

Will your project/app/system involve processing of information about individuals which includes special category or criminal conviction data? Please note this does include ‘anonymous’ data within these categories if unique identifiers such as initials or reference numbers are also processed.

If you are processing any of the below types of personal data your answer should be YES:

· Racial or ethnic origin
· Political opinions
· Religious or philosophical beliefs
· Trade union membership
· Genetic data
· Biometric data
· Data concerning health
· Data concerning a person’s sex life
· Data concerning a person’s sexual orientation
· Criminal conviction data

No individual processing of information will be included in this project.

Will you be collecting new personal information about individuals, or information which, if breached could have a significant impact on an individual?

Examples where the answer would be YES:

· This is a new system/process processing personal data that has not been previously collected
· This is an existing system/process processing personal data but additional data must be collected due to a change in scope of the system/process
· Data which has routinely been collected is being collected in a new way; this data is very sensitive and would cause distress to the data subject if it was breached

This programme of work would see the replacement of the Council’s in-house older people’s residential care service, currently known as Elderly Person’s Homes (EPHs), in Starbeck in Harrogate with a new-build Care & Support Hub in Harrogate.

Will information about individuals be disclosed or shared with organisations or people who have not previously had routine access to the information?

Example of where the answer would be YES:

· There is a requirement to share information with an external 3rd party who has not previously had access to the data. This would also result in the need for a Data Sharing Agreement (DSA).

No personal information will be shared with organisations or people who have not previously had routine access to information.

Are you going to use information you already hold about individuals for a purpose it is not currently used for?

Example of where the answer would be YES:

Matching information from different systems/data sources, where purpose/lawful basis of original data collection may differ

Details of the Information Asset in question will be contained within NYC’s Information Asset Register (IAR) and the purpose for processing, along with the legal basis for processing, will be recorded. The way information will be used in this new system/process must match the existing purpose/legal basis, otherwise a DPIA is required.

This programme involves re-shaping of services and will not manage or process any personal data.

Does the project involve using technology which might be perceived as privacy intrusive or monitoring any publicly accessible areas? For example, CCTV, facial recognition, use of biometrics* such as thumb prints, vehicle number plate recognition or location tracking.

Does any phase of the project/system/app use automated decision making based on information provided by the individual or received from a 3rd party? Automated individual decision-making is a decision made by automated means without any human involvement (e.g. online credit checks).

Example of where the answer would be YES:

· A new piece of software is being implemented which checks an applicant’s geographical location, age and household income and automatically offers a free service to eligible applicants when certain conditions are met

Will the project include marketing or contacting individuals which may be considered intrusive?

By phone, by email or by post, where they have not been informed/are not expecting that this contact will take place.

Example of where the answer would be YES:

· I have access to a list of email addresses which were collected for the purpose of setting people up as users of their local library. I’d like to send them a notice about a new transport service that operates near the library.

Will the project include data matching from different sources or profiling? Combining, comparing or matching personal data obtained from multiple sources.

Example of where the answer would be YES:

· Matching data from two/three different children’s systems to understand which children may be eligible to join a new learning programme.

Will you be conducting large-scale processing? This includes numbers, duration and geographical spread.

Example of where the answer would be YES:

· Processing data related to all/most children who reside in North Yorkshire
· Tracking all/most individuals using public transport systems in North Yorkshire

 

 

If you have answered YES to any of the questions above then a full DPIA must be carried out.

 

If you have answered NO to ALL of the above screening questions then a DPIA is not necessary. Please complete the declaration below and email a copy to the Data Governance Team, email: datagovernance@northyorks.gov.uk.

 

Date of Assessment

27/04/26

Project Sponsor Name

Chris Watson (AD – Adult Social Care)

Project Sponsor Signature

C. Watson

 

Note: If the scope of work changes in any way then the pre-assessment MUST be repeated.